On Tue, Jul 15, 2014 at 09:06:55AM +0100, t.p. wrote:
MUAs should expose message origin when different from author.
Viktor,
A fine idea, but, as a pragmatic engineer, I know that changes to an MUA
will take five, may be ten, years to achieve widespread deployment,
whereas changes to MTA could happen in a matter of weeks, if needs must.
We could have started 5 years ago. Better late than never. The
problem being tackled has no instant gratification solutions.
Pretending the problem is simpler than it is has a way of coming
back to bite you. I've always held that no amount of sender origin
authentication will save the clueless from themselves, any real
protection is at the gateway, and the gateway sees all the headers.
In the mean-time "citibank.com.dukhovni.org" will look plausible
enough to the helpless and will not be foiled by DMARC.
The expedient approach has not worked, it should have been done right
long ago, and should still be done right in the present.
--
Viktor.